Proactive real-time security intelligence: Moving beyond conventional SIEM

Surprisingly, discussions about security intelligence still focus primarily around conventional reactive Security Incident and Event Management systems (SIEM). However, in today’s highly active and complex landscape security professionals need to move from this reactive model to proactively using this security intelligence to protect their businesses. A proactive model which enables to predict security incidents and events besides preventing and detecting them.

The key to understanding how to move from reactive SIEM to proactive security intelligence can be found in the basic information which is fed into security intelligence technology. The difference doesn’t lie in the type of basic information which is used — rather it is about the holistic, actuality, and granularity level of the information. This is in turn is related to the method used to meet that holistic, actuality and granularity level.

Fundamentally, the information needed for proactive and reactive security intelligence is the same and covers Threat Intelligence, Asset Information (e.g. software, patches, etc.) and Countermeasure Information – but the fine details differ.

Threat intelligence
The technology required for threat intelligence is more or less the same for the reactive and the proactive security approach. In both situations, this information will be collected from external sources and vulnerability scanning. A threat can be for example vulnerability in Java version X.

Asset information
The asset information, however, in conventional SIEM is acquired from a general purpose configuration management database (CMDB), often initially setup for service management and/ or license management purposes. Service management and license management are administrative processes, which require a much less actual and granular state of assets compared to proactive security intelligence. The holistic level is more or less the same for service management, license management, and security intelligence processes. To elaborate, service management and license management are often satisfied when the following two questions can be respectively answered:

  • Who currently owns which asset and where is it located?
  • How many licenses of software XYZ are in use?

But, from the perspective of security intelligence, there is need for a much more actual — as real-time as possible, and granular — as detailed as possible, state of assets. For example, the software version including patch level, register settings, etc.

CMDBs are often maintained by a combination of manual processes and automated processes based on time-based asset discovery technology, which may not run more than once per month. This is because a more actual state from the information point of view is not needed and/ or because of performance impact considerations.

To meet the information requirements for providing proactive security intelligence a dedicated Security specific Asset Management Database (AMDB) is advisable. Two methods are available for building up a security specific AMDB with holistic, actual, and granular asset information: network-based and Host-based/agent-based.

The host-based method provides the maximum advantage of the holistic, actual, and granular state. This is because the network-based method is challenged by end-to-end application encryption — which is becoming more standardized with time. Also, there are many client-only applications with no network traffic at all.

At this stage combine threat intelligence and asset information, and the “Which threats are applicable to which assets?” question can be answered.

Countermeasure information
The last information element needed for proactive security intelligence is countermeasure information. This information element must provide a holistic insight into the actual and granular state of the countermeasures applied to the asset. In general, three questions need to be answered at this stage:

  • Which data, application, endpoint, and network countermeasures are in place within the organization?
  • Are these countermeasures available to the specific asset?
  • What is the state of the specific instance of the countermeasure on the specific asset?

A holistic view on countermeasure information can be gathered from the organization — data, application, endpoint, and network- security management environments, if possible combined with some countermeasure information which can be provided by the asset information agent.

Building a multi-disciplinary threat management team
Conclusively, for effective and efficient proactive security intelligence the following questions must be answered:

  • Threat Intelligence: “Which threats are out there?”
  • Asset Information: “What is the holistic, actual, and granular state of assets?” and “For which assets are those threats relevant?”
  • Countermeasure Information: “What is the holistic, actual and granular state of countermeasures?” and “For which assets are those countermeasures available?”

The proactive security intelligence solution itself must provide some functions to “drill-down” and “roll-up” from threats to assets to countermeasures, advise possible security actions, and the capability to risk-based classify assets. Depending on the outcome, security actions can be planned, like updating anti-malware or (host-based) intrusion protection systems, deploying a patch, or as simple as (temporarily) blocking a website with the content filter. Since the security action can impact multiple architectural domains, i.e. data, application, endpoint, network, security, it is important to form a multi-disciplinary threat management team. This team meets on a scheduled periodic basis and is aware that it can be called up whenever there is a need to evaluate a situation — to analyze and discuss threats and plan security actions in a proactive way.

Finally, the holistic (complete), actual (as real-time as possible), and granular (detailed) view on assets and countermeasures provided by the proactive security intelligence solution can be re-used in the reactive security intelligence solution (SIEM). This will make the reactive security intelligence process more effective (improving sensitivity and specificity) and efficient (highly automated).

This holistic approach to security intelligence enables organizations to better anticipate cyberattacks and respond adequately. The solutions to deliver these capabilities are available now, and implementing is less complex than it initially appears. However, it is essential that the right architectural decisions are made early on.